The IAPP Europe Data Protection Congress 2014 in Brussels had more takeaways for privacy professionals than from a frites stall on the Grand Place. The big stories, however, were the progress report on the EU General Data Protection Regulation, the continuing debate on the right to be forgotten and questions raised around the future of the EU-US Safe Harbor decision.
The Regulation: Are we there yet?
Luca de Matteis, from the Italian Presidency of the Council of the European Union, gave the keynote address to roughly 900 people. He confirmed that the Presidency will present a partial general approach on the public sector aspects of the regulation to the Council of Ministers on 4-5 December. Good progress has also been made on the controversial regulatory one-stop shop; the Council of the European Union’s expert working group on data protection, DAPIX, had been working hard to reach agreement on this seemingly insoluble issue. De Matteis said that this was a complex piece of legislation which will have to fit in with existing systems, and that accusations of foot-dragging aimed at the Council were far from the truth.
De Matteis was sanguine that good progress would be demonstrated on a partial general approach to the one-stop shop, but equivocal on whether the approach would be put to the ministers. Discussions were ongoing that day at DAPIX, just a mile down the road, but the building blocks of the text are falling into place one by one.
About forgetting and feeling safe
During a feisty session on the right to be forgotten, it became clear that the exact scope and meaning of the European Court of Justice's controversial verdict is far from settled. One member of the panel asserted that the verdict was relevant to one specific matter. But as the Council of Ministers were recently told by their own legal service, the verdict is "on the principle" and gives primacy to the right to privacy over other rights — which means that the principle is likely to continue to cause controversy.
The future of the EU-US Safe Harbor framework featured in a number of discussions at the Congress. Ted Dean from the US Department of Commerce said that it was important that the Safe Harbor continued to develop as a tool to build bridges between the different approaches to data protection on either side of the Atlantic. However, when the question of the national security exemption was raised by Isabelle Falque-Pierrotin, the president of the CNIL and A29 Working Party chair, FTC Commissioner Julie Brill said that this topic was not within either the FTC’s remit CNIL’s or, for that matter, the European Commission’s DG Justice (which had a year ago presented 13 recommendations to the US government for reforming Safe Harbor). In other words, the data protection authorities may have a long wait ahead of them before getting those answers they are demanding, and simple geopolitical reality makes it unlikely that a suspension of Safe Harbor will take place. One possible result is a compromise in which on the one hand the EU is assured by the US inter alia that enforcement will be increased and on the other hand the transatlantic business community gets the continued legal certainty they require.
A panel at the end of the conference — Omer Tene, Eduardo Ustaran, Ralf Brendrath and Max Schrems — debated another angle of Safe Harbor. Schrems said that even if the European Commission’s 13 recommendations were agreed, the problem would still not be solved. Schrems had initiated an action in Ireland that had wended its way to the European Court of Justice (Case C-362/14). The ECJ would consider the fundamental question as to whether the Safe Harbor decision itself provided adequate protection for EU residents when their personal data are transferred to the U.S. If the ECJ finds that it does not, then Safe Harbor could be in trouble regardless of the EU-U.S. negotiations on the European Commission’s own recommendations.
The key takeaways for privacy professionals from these discussions are that they should monitor the situation in case they need to think about alternative bases for transfers, and they should also review compliance with the current framework in the light of increased FTC enforcement activity.
2015: A crucial year for European privacy law
As Congress delegates headed home, the negotiations continued elsewhere in Brussels. The frequency and pace of the DAPIX meetings under the Italian Presidency has been intense. The Council of Ministers meeting on 4-5 December will show us how successful they have been in moving the regulation forward. And as we have already made clear on these pages, 2015 is looking to be a crucial year for European privacy law.